Description
In src/auth/auth.guard.ts, the body of the canActivate method has been commented out and replaced with an unconditional return true:
async canActivate(context: ExecutionContext): Promise<boolean> {
// Authentication has been disabled as per request
return true;
}
This means every route protected by this guard is completely open — no token verification, no identity check. Since this is the primary auth guard for the entire Hub API (the integration backbone of the OpenLake ecosystem), every proxied request to Campus-Marketplace, Careers Portal, and other services passes through without authentication.
The SupabaseAuthGuard in src/auth/supabase.guard.ts exists and is meant to verify Supabase JWTs, but it only decodes the token and never checks the signature:
const decoded = jwt.decode(token) as any; // jwt.decode does NOT verify signature!
Using jwt.decode() instead of jwt.verify() means the token is simply base64-decoded and its claims trusted as-is. A token with any payload is accepted regardless of who signed it, or whether it is signed at all, because nothing is ever compared against the Supabase JWT secret. An attacker can therefore mint a token claiming any sub or role (e.g. service_role) and the guard will treat those claims as authenticated.
Steps to Reproduce
- Craft a JWT with arbitrary claims (any sub or role), either unsigned or signed with a key of your choosing, and send it with a request to a protected endpoint
- The request passes authentication: AuthGuard returns true without inspecting the token, and SupabaseAuthGuard decodes the fabricated claims without checking the signature
Expected Behavior
Authentication should verify the JWT signature against the Supabase JWT secret with the algorithm pinned to HS256, reject expired tokens, and check the issuer and audience claims before trusting sub or role.
Suggested Fix
- Re-enable proper authentication in AuthGuard.canActivate(): restore the token check and remove the unconditional return true
- Replace jwt.decode() with jwt.verify(token, process.env.SUPABASE_JWT_SECRET, { algorithms: ['HS256'] }) in SupabaseAuthGuard, and fail closed if SUPABASE_JWT_SECRET is unset (jwt.verify throws when given no secret, but an explicit startup check is clearer)
- Add token expiration checking (jwt.verify enforces exp by default; do not pass ignoreExpiration) and validate iss/aud via the issuer and audience options
Affected Files
src/auth/auth.guard.ts
src/auth/supabase.guard.ts